Primed for Crime on the Internet

As I was checking my E-mail the other day, I ran across a message from the industry-forecasting manager of IBM, Europe. It was a great nugget of information on an emerging market. But as interesting as the message was, I was disturbed to find it. That's because it wasn't meant for me. I don't work for IBM, and I have no connection with either the sender or the intended receiver (whoever that may have been). In fact, my E-mail address doesn't remotely resemble an IBM address. The message had simply been misrouted, the victim of a technical glitch on a server somewhere. Of course, receiving someone's misrouted mail wasn't the scary part; it was the knowledge that my sensitive mail could end up on almost anyone's PC.

Growing companies rushing to embrace the on-line world are unaware of some of the less well publicized security dangers facing them. Innocently misrouted letters are one. Here are some others:

Most Internet users know by now that any account can be targeted by a hacker. But the conventional wisdom is that hackers are looking for "interesting" targets: phone companies, government agencies, large corporations with sensitive files, credit-reporting firms, or organizations with extensive credit-card files. But actually many hackers look for exactly the opposite - small, relatively unknown companies that have little of interest in their computer files.

Why? Because those companies are a perfect place for a new hacker to try out his or her skills. After all, defenses and security awareness are likely to be low at such sites, giving hackers a far better chance of breaking in and rummaging around with little interference or risk of being caught. If your site is unintentionally accommodating to less skilled hackers, you might win the honor of being labeled a "penetration test site" on hacker bulletin boards, which means you'll enjoy frequent visits from hackers all over the world. "Word gets around fast," explains one hacker with an interest in discovering new test sites. That particular hacker has a day job -- in the technical-support department of one of the major on-line services.

But don't feel complacent if your files turn out not to be of interest to hacker wanna-bes. These days, all it takes to be a victim is an E-mail address. That's because extortion, historically the domain of small-time gangsters, has graduated to the sterile and anonymous world of on-line communications. According to stories that have made their way around the Internet, victims of on-line extortion typically receive a short anonymous E-mail note (there are several ways to send a note that can't be traced to the sender's address) demanding a sum of money, perhaps as little as $50. If you refuse to pay, the sender may threaten to "mail-bomb" your E-mail address -- that is, flood your mailbox with hundreds or even thousands of meaningless notes that keep you from using your account. Companies that rely heavily on their Internet accounts for business correspondence can be crippled by such torrents of electronic garbage.

Security is improving on the Internet, but slowly and unevenly. Apparently, awareness of risks is rising at the same creaky pace. I E-mailed a message back to the executive at IBM explaining what must have happened and advising him to look into it. No response. A short while later, I received another misrouted note from IBM, with yet more market information. Some people just don't get it.